DETAILED ACTION
Continued Examination Under 37 CFR 1.114
A request for continued examination under 37 CFR 1.114, including the fee set forth in 37 CFR 1.17(e), was filed in this application after final rejection.  Since this application is eligible for continued examination under 37 CFR 1.114, and the fee set forth in 37 CFR 1.17(e) has been timely paid, the finality of the previous Office action has been withdrawn pursuant to 37 CFR 1.114.  Applicant’s submission filed on 4/9/2021, for application 16/653,350 has been entered. 
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA .
This Office Action is in response to the Amendment filed on 4/9/2021.

Examiner’s Amendment
An Examiner’s Amendment to the record appears below.  Should the changes and/or additions be unacceptable to Applicant, an amendment may be filed as provided by 37 CFR 1.312. To ensure consideration of such an amendment, it MUST be submitted no later than the payment of the issue fee.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. Clinton J. King (Reg. No. 70,960) on June 15, 2021.  During the telephone conference, Mr. King has agreed and authorized the Examiner to amend Claims 1, 12, and 20, and to cancel claim 14.
Claims
Replacing Claims 1, 12, and 20 and canceling claim 14 as following:
Claim 1:	 (Currently Amended) A method comprising:  
receiving a first access request identifying a protected resource from a client device, the first access request including an identifier;
generating a user interface that includes a plurality of graphical objects for presentation at random locations on a display of the client device as defined by a first object map, wherein: 
the plurality of graphical objects includes a set of user-defined objects associated with the identifier that define a graphical password based on a sequence-based criterion that specifies an order for selecting each user-defined object among the set of user-defined objects,
the graphical password is further defined by a behavior-based criterion that specifies a characteristic of an interaction for selecting at least one user-defined object among the set of user-defined objects,
each user-defined object among the set of user-defined objects shares a common visual attribute, and
the first object map comprises a graphical object display position mapping data that is stored and accessed at the user interface;
storing configuration information in the first object map that represents a location in which a display position of a particular graphical object within the user interface is mapped to that graphical object; 

determining, based on the input data, location data comprising a location of selected graphical objects of the plurality of graphical objects based on each position on the display;  
determining that the location data of the input data satisfies the graphical password using the configuration information in the first object map; and
in response to determining that the input data satisfies the graphical password, granting access to the protected resource.

Claim 12:	(Currently Amended) A system comprising:
	an electronic device with a display;
	a processor; and
	a computer-readable storage medium comprising instructions that upon execution by the processor cause the system to perform operations, the operations comprising:
sending an access request identifying a protected resource to an access service associated with a host server, the access request including an identifier;
in response, receiving a user interface from the access service that includes a plurality of graphical objects for presentation at random locations on the display as defined by a first object map, wherein:  
the plurality of graphical objects includes a set of user-defined objects associated with the identifier that define a graphical password based on a sequence-based criterion that specifies an order for selecting each user-defined object among the set of user-defined objects,
the graphical password is further defined by a behavior-based criterion that specifies a characteristic of an interaction for selecting at least one user-defined object among the set of user-defined objects,
each user-defined object among the set of user-defined objects shares a common visual attribute, 
the first object map comprises a graphical object display position mapping data that is stored and accessed at the user interface, and 
configuration information is stored in the first object map that represents a location in which a display position of a particular graphical object within the user interface is mapped to that graphical object;
recording input data including an input event for each detected interaction with the user interface while presenting the user interface on the display, each input event identifying a position on the display at which a corresponding interaction was detected;
determining, based on the input data, location data comprising a location of selected graphical objects of the plurality of graphical objects based on each position on the display;   
sending the location data of the input data including each recorded input event to the access service, wherein the access service determines whether the input data satisfies the graphical password using the configuration information in the first object map; and 
receiving access to the protected resource when the access service determines that the input data satisfies the graphical password using the first object map that defines randomly assigned positions for presenting the plurality of graphical objects on the display.

Claim 14:	(Cancelled) 


Claim 20:	(Currently Amended) A non-transitory computer-readable storage medium, storing program instructions that upon execution by a processor of a computing device, cause the computing device to perform operations comprising:
	at an access service associated with a host server:
	generating a user interface that includes a plurality of graphical objects for presentation at random locations on a display of a client device as defined by a first object map, wherein: 
the plurality of graphical objects includes a set of user-defined objects associated with an identifier that define a graphical password based on a sequence-based criterion that specifies an order for selecting each user-defined object among the set of user-defined objects,
the graphical password is further defined by a behavior-based criterion that specifies a characteristic of an interaction for selecting at least one user-defined object among the set of user-defined objects,
each user-defined object among the set of user-defined objects share a common visual attribute, and
the first object map comprises a graphical object display position mapping data that is stored and accessed at the user interface;
storing configuration information in the first object map that represents a location in which a display position of a particular graphical object within the user interface is mapped to that graphical object; 
receiving input data including an input event for each interaction with the user interface that the client device detects, the input event for each interaction identifying a position on the display at which a corresponding interaction was detected; 

determining that the location data of the input data satisfies the graphical password using the configuration information in the first object map; and 
in response to determining that the input data satisfies the graphical password, granting access to a protected resource.

Examiner's Statement of reason for Allowance
Claims 1-5, 7-12, and 15-20 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The present invention is directed to a method, a system, and a non-transitory computer-readable storage medium for multi-factor authentication using graphical passwords. An access request that includes an identifier and which identifies a protected resource is received from a client device. An interface is generated having a plurality of graphical objects for presentation at random locations on a display of the client device as defined by an object map. The plurality of graphical objects include a null object and a set of user-defined objects associated with the identifier that define a graphical password. Input data including an input event for each detected interaction with the interface is received. Each input event identifies a position on the display at which a corresponding interaction was detected. Using the object map, it is determined that the input data satisfies the graphical password. Access to the protected resource is granted in response to determining that the input data satisfies the graphical password.
The closest prior art, as previously recited, Pering (US20040093527) and Jalili (US6209104), are also generally directed to various aspects of graphical authentication.  However, none of Pering and Jalili teaches or suggests, alone or in combination, the particular combination of steps or elements as recited in the independent claims, claims 1, 12, and 20.  For example, none of the cited prior art teaches or suggest the steps of generating a user interface that includes a plurality of graphical objects for presentation at random locations on a display of the client device as defined by a first object map, wherein:  the plurality of graphical objects includes a set of user-defined objects associated with the identifier that define a graphical password based on a sequence-based criterion that specifies an order for selecting each user-defined object among the set of user-defined objects, the graphical password is further defined by a behavior-based criterion that specifies a characteristic of an interaction for selecting at least one user-defined object among the set of user-defined objects, each user-defined object among the set of user-defined objects shares a common visual attribute, and storing configuration information in the first object map that represents a location in which a display position of a particular graphical object within the user interface is mapped to that graphical object.
Therefore the claims are allowable over the cited prior art.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”


Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to WALTER J MALINOWSKI whose telephone number is (571)272-5368.  The examiner can normally be reached on 8-6:30 MTWH.
Examiner interviews are available via telephone, in-person, and video conferencing using a USPTO supplied web-based collaboration tool. To schedule an interview, applicant is encouraged to use the USPTO Automated Interview Request (AIR) at http://www.uspto.gov/interviewpractice.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, LUU PHAM can be reached on 5712705002.  The fax phone number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see https://ppair-my.uspto.gov/pair/PrivatePair. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.




/W.J.M/Examiner, Art Unit 2439   


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439